CQL Knowledge Base
Ready-to-use CQL queries for threat hunting, detection, and SOC triage. Copy, filter, and search in seconds.
System Process with Unauthorized Parent — Hidden Process Hunting
Detects critical Windows processes (svchost, lsass, services, winlogon, csrss, wininit) running from unusual parent processes. A key post-compromise threat hunting technique to identify process injection or masquerading used by advanced actors to hide malware within the system process tree.
Remote Authentication Spike per Account — Lateral Movement Detection
Detects accounts with more than 8 remote authentications within a 30-minute window, a pattern indicative of automated lateral movement or active use of compromised credentials for host pivoting. Aligned with Falcon Identity Threat Protection capabilities for detecting identity abuse and lateral movement in corporate environments.
Registry Run Key Modification for Persistence
Detects writes to Windows Run, RunOnce, and Winlogon registry keys, the most widely used persistence mechanism employed by malware to execute automatically at system startup. Essential for basic post-compromise triage during Incident Response to identify residual persistence artifacts per CrowdStrike best practices.
Scheduled Task Creation with schtasks.exe for Persistence
Detects the use of schtasks.exe to create or modify scheduled tasks, a basic persistence mechanism widely used by malware and attackers to maintain access across system reboots. Essential for basic host triage during Incident Response to identify residual persistence artifacts on compromised endpoints.
Kernel Driver Loaded from Non-Standard Path — BYOVD Attack
Detects the loading of kernel drivers (.sys) from non-standard paths such as Temp, AppData, or ProgramData. The BYOVD (Bring Your Own Vulnerable Driver) technique enables escalation to kernel level and EDR evasion, particularly relevant given the landscape of critical Windows driver vulnerabilities documented in 2025.
APT3 Multi-Stage CMD Reconnaissance Chain Detection
Detects sequences of reconnaissance commands executed via cmd.exe consistent with APT3 operator TTPs — chains of whoami, net user/group, nltest, ipconfig, and systeminfo from the same user on the same host, indicative of hands-on-keyboard activity post-compromise
BYOVD: Kernel Driver Loaded from Non-Standard User Path
Detects the Bring Your Own Vulnerable Driver (BYOVD) attack by identifying kernel driver loads from paths accessible to unprivileged users. A technique documented in the Windows Privilege Escalation 2025 report for escalating to kernel level, disabling EDR including Falcon, and implanting rootkits. Legitimate OS drivers are never loaded from Temp, AppData, or Downloads.
ClickFix Initial Access: LOLBINs Spawned from Web Browser
Detects the ClickFix pattern where popular browsers spawn script interpreters or LOLBIN binaries with suspicious arguments. An active initial access technique used by the LeakNet ransomware group: the user pastes malicious clipboard commands believing they are following legitimate support or CAPTCHA instructions.
ClickFix: Browser-Spawned Scripting Engine for Initial Access
Detects the ClickFix social engineering initial access technique used by LeakNet and other ransomware actors, where attackers use fake browser prompts to trick users into running clipboard-copied commands. Flags scripting engines spawned directly from major web browsers — a high-confidence indicator of clipboard-hijack campaigns
Cloud CDR: IAM Privilege Escalation — High-Risk API Operations
Detects sequences of high-risk cloud API calls used in IAM privilege escalation across AWS, Azure, and GCP. Aligned with CrowdStrike Real-Time Cloud Detection & Response capabilities announced in April 2026. Covers the standard cloud attacker playbook: role creation with modified trust relationships, permanent access key generation, attaching permissive policies, and adding users to privileged groups.
Deno Runtime Abused as Malware Loader (LeakNet TTP)
Detects suspicious execution of the Deno JavaScript runtime outside developer contexts, matching the LeakNet ransomware gang technique of using the open-source Deno runtime as a malware loader for initial access. Flags Deno processes spawned from non-developer parents with execution or network permission flags
Deno Runtime as Malware Loader: LeakNet Ransomware Campaign
Detects abuse of the Deno runtime (open-source Node.js alternative) as a malware loading platform, a technique documented in the active LeakNet ransomware campaign. Deno executes remote code with granular permission flags that bypass PowerShell and wscript-based controls. Its presence on corporate endpoints is inherently anomalous.
Executable Launched from Windows Temp Directory
Detects processes executing from Windows temporary directories — a common indicator of malware droppers, ransomware payload staging, and post-exploitation download-and-execute patterns. Beginner-friendly detection query for initial triage of suspicious execution paths, covering AppData Temp, Windows Temp, and root Temp locations
Web Exploitation: Anomalous Child Process from IIS Worker Process w3wp.exe
Detects deserialization exploitation in ASP.NET applications through anomalous child processes launched by w3wp.exe. Covers CVE-2025-53690 Sitecore ViewState, RCE in React Server Components via Flight protocol, and critical vulnerabilities in Fortra GoAnywhere MFT. High-fidelity indicator: w3wp.exe should never spawn shells or reconnaissance tools in production.
Basic Detection: PowerShell Executed with EncodedCommand Parameter
Fundamental detection query that identifies PowerShell executions with the -EncodedCommand parameter or its abbreviation -enc. A basic but consistent indicator of malicious obfuscation present in most modern ransomware campaigns (LeakNet/ClickFix) and in post-exploitation stages of critical 2025 vulnerabilities. Ideal as a first query for analysts new to CrowdStrike LogScale.
Whoami Execution by Any Parent Process
Basic detection of whoami.exe execution across all endpoints — one of the most common post-compromise enumeration commands used by attackers to identify current user context after initial access. Ideal for beginner threat hunters and SOC analysts building a baseline of identity enumeration activity in LogScale
WMI-Spawned Command Shell for APT Lateral Movement
Detects cmd.exe or PowerShell processes spawned by WmiPrvSE.exe and executing reconnaissance, enumeration, or persistence commands — a high-confidence APT lateral movement indicator. WMI-spawned shells running enumeration commands are a persistent hallmark of hands-on-keyboard operators including APT3 and other nation-state actors
ALPHV BlackCat Ransomware - Windows Defender Disablement via PowerShell and Registry
Detects PowerShell and service control commands used by ALPHV BlackCat ransomware operators to disable Windows Defender and related AV services before deploying ransomware payload, consistent with pre-encryption TTPs documented in the DOJ BlackCat disruption case where two operators pleaded guilty to targeting multiple U.S. victims
APT Network Discovery Sequence — 5 or More Tools Within 30-Minute Window
Identifies hosts running 5 or more distinct network reconnaissance binaries (ping, nslookup, nltest, arp, route, netstat, ipconfig, tracert) within a 30-minute window. This multi-tool burst pattern is a high-fidelity indicator of hands-on-keyboard APT operators performing internal network mapping after initial compromise, consistent with APT TTPs analyzed in Azeria Labs and CrowdStrike threat intelligence reporting.
APT3 Multi-Stage Windows Command Shell Reconnaissance Chain
Detects hosts where cmd.exe or PowerShell execute 3 or more inline reconnaissance commands (whoami, hostname, net, systeminfo, nltest) within a session. A high-fidelity hands-on-keyboard indicator attributed to APT3 and similar threat actors documented in CrowdStrike Falcon IR investigations.